I have an SRX210BE-1MB running the latest Junos.
There is a hub-spoke VPN setup and it can route traffic between spokes and hub (SRX trust zone).
There is a separate VPN that is point-to-point to a SonicWall firewall in its own zone.
I can't seem to route traffic between the multipoint tunnel st0.6 (hub/spoke VPN) and the point-to-point tunnel st0.1 (SonicWall VPN).
I've tried with policies, including intra-zone, to turn on internal policy routing (e.g. zone Sonic to zone Sonic).
Any helpful suggestions on how to route any or all spokes (hub/spoke VPN) to another VPN that is point-to-point?
Zone VPN-MULTIHOME to zone VPN-SONICWALL.
I'm not sure if the SRX can work with SonicWall for hub and spoke (if my understanding is correct based on your post).
In my opinion, you do a normal SRX policy-based VPN with proxy-IDs that match your SonicWall subnet for the VPN tunnel.
Hope this helps...
The hub-spoke setup on the SRX is only with remote firewalls that are Juniper/Netscreen based (SSG5, Netscreen 5GT). I'm able to route traffic just fine on that setup.
The point-to-point setup with a SonicWall is a separate configuration on the same SRX and works fine. The SonicWall has my subnets from the spokes and the SRX trust zone. I can only ping the SonicWall subnet from my trust zone and not from the spokes.
I don't know or can't figure out how to route from a spoke tunnel to the active VPN to the SonicWall. I'm sure it's something so simple that I'm overlooking it...
Thanks for the article. It does point out only ONE proxy ID on route-based VPN. Guess I'll need to look into changing to policy-based to get multiple proxy-IDs (spokes) through that SonicWall VPN.
Right, proxy ID only supports one pair in a configuration.
You can use traffic selectors with a route-based VPN to add multiple subnets on the VPN. Naturally the SonicWall side also has to have the same pairs of networks set up as well.
Thanks to everyone who replied!
Learned a new feature in Junos today: traffic-selector
Now I can route from my hub-spoke VPN to the point-to-point VPN. Spokes are happy!
The SRX has an open proxy ID by default so that any IP address can be encrypted and sent in the tunnel. This is not supported on SonicWall. So you will have your pairs of allowed traffic set up on that tunnel via proxy ID or tunnel selectors.
This means that only the local address subnets on those lists will be allowed to enter the SonicWall tunnel. So likely your remote spoke sites are not on this list.
You can ask that the SonicWall tunnel be expanded to include all the subnets that you want to include as traffic. But if you have a very large number of sites there is likely a limit to the number that can be put there.
The other option is to source-NAT the spoke site address to a local address on the SRX that is allowed in the SonicWall tunnel. Then the traffic can go into the tunnel and be returned.
However, this will only work for traffic that is generated by spokes into the SonicWall tunnel. The remote SonicWall devices will not be able to initiate the session.
Thank you, Steve.
I did notice I had the local subnet on the SRX as the local proxy ID on the VPN. I changed it to one of the spoke subnets and I can ping to the SonicWall.
So far working as expected. Now I just need to include all spokes (5 of them) in 10.10.X.X in the local proxy ID.
Not sure how to add multiple local proxy IDs for this VPN. I tried with 10.10.0.0/16. Can I add multiple local and remote proxy-IDs on this VPN?
bind interface st0.4
local 192.168.90.0/24 ---> this is the local subnet on the SRX trust zone. Spokes are 10.10.76.0, 10.10.77.0...
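A worked Junos configuration for what Steve describes above (traffic selectors on the route-based SonicWall VPN, one local/remote network pair per spoke subnet, in place of the single proxy-ID shown in the snippet), added here as an example and not config posted by anyone in the thread. The SonicWall LAN prefix 172.16.50.0/24, the names SONIC-GW, SONIC-IPSEC-POL, SONIC-VPN and the policy/address names, and st0.1 as the point-to-point tunnel unit are assumptions; the trust and spoke subnets are the ones given in the thread.

```junos
## Added example, not posted in the thread. Assumed values: the SonicWall LAN
## 172.16.50.0/24, the object names SONIC-GW / SONIC-IPSEC-POL / SONIC-VPN,
## and st0.1 as the point-to-point tunnel unit. The IKE gateway and IPsec
## policy themselves are assumed to exist already.

## Tunnel interface in its own zone, as in the original setup
set interfaces st0 unit 1 family inet
set security zones security-zone VPN-SONICWALL interfaces st0.1

## Route-based VPN bound to the point-to-point st0 unit. A single
## proxy-identity pair cannot coexist with traffic selectors on the same
## vpn, so the old local 192.168.90.0/24 proxy-ID must be removed first.
delete security ipsec vpn SONIC-VPN ike proxy-identity
set security ipsec vpn SONIC-VPN bind-interface st0.1
set security ipsec vpn SONIC-VPN ike gateway SONIC-GW
set security ipsec vpn SONIC-VPN ike ipsec-policy SONIC-IPSEC-POL
set security ipsec vpn SONIC-VPN establish-tunnels immediately

## One traffic selector per local/remote pair: trust plus each spoke.
## Each selector negotiates its own Phase 2 SA, so the SonicWall must
## define exactly the same network pairs on its side of the tunnel.
set security ipsec vpn SONIC-VPN traffic-selector TS-TRUST   local-ip 192.168.90.0/24 remote-ip 172.16.50.0/24
set security ipsec vpn SONIC-VPN traffic-selector TS-SPOKE76 local-ip 10.10.76.0/24   remote-ip 172.16.50.0/24
set security ipsec vpn SONIC-VPN traffic-selector TS-SPOKE77 local-ip 10.10.77.0/24   remote-ip 172.16.50.0/24
## ...repeat for the remaining spoke /24s; a single 10.10.0.0/16 selector
## only negotiates if the SonicWall side is configured with that exact prefix.

## Auto Route Insertion installs a route to each remote-ip prefix via st0.1
## when the selector's SA comes up, so no static route is needed.

## Permit only the spoke prefixes toward the SonicWall LAN (not "any"),
## in both directions so either side may initiate a session.
set security address-book global address NET-SPOKE76 10.10.76.0/24
set security address-book global address NET-SPOKE77 10.10.77.0/24
set security address-book global address NET-SONIC   172.16.50.0/24
set security address-book global address-set SPOKE-NETS address NET-SPOKE76
set security address-book global address-set SPOKE-NETS address NET-SPOKE77
set security policies from-zone VPN-MULTIHOME to-zone VPN-SONICWALL policy SPOKES-TO-SONIC match source-address SPOKE-NETS
set security policies from-zone VPN-MULTIHOME to-zone VPN-SONICWALL policy SPOKES-TO-SONIC match destination-address NET-SONIC
set security policies from-zone VPN-MULTIHOME to-zone VPN-SONICWALL policy SPOKES-TO-SONIC match application any
set security policies from-zone VPN-MULTIHOME to-zone VPN-SONICWALL policy SPOKES-TO-SONIC then permit
set security policies from-zone VPN-SONICWALL to-zone VPN-MULTIHOME policy SONIC-TO-SPOKES match source-address NET-SONIC
set security policies from-zone VPN-SONICWALL to-zone VPN-MULTIHOME policy SONIC-TO-SPOKES match destination-address SPOKE-NETS
set security policies from-zone VPN-SONICWALL to-zone VPN-MULTIHOME policy SONIC-TO-SPOKES match application any
set security policies from-zone VPN-SONICWALL to-zone VPN-MULTIHOME policy SONIC-TO-SPOKES then permit

## Verify: one SA per selector, and an ARI route for the SonicWall LAN
run show security ipsec security-associations
run show route 172.16.50.0/24
```

After commit, a selector whose pair the SonicWall does not have configured simply fails Phase 2 negotiation and shows no SA, which is the quickest way to spot a prefix mismatch between the two sides.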